No worries. PM me for further info.

I think everyone here knows that if you process cards offline then you need to be compliant - what we are really talking about is online complince.

Chris,

Any news from Barclays with regards Secuirty Metrics/PCI Compliance?

Think I've been moved onto their weekly email list now!

I have sent an e-mail to our Business Manager at Barclays this morning.
We take both telephone orders and process payments via Barclays PDQ Machines, and online orders through our website. We use Securehosting.com as our PSP who are PCI Compliant.

http://www.securehosting.com/pci_certificate.pdf

I have questioned that if we have the following:

1. The Network test run by SM which passes.
2. Completed and passed the PCI Compliance Questionnaire (via SM)
3. Use PSP for processing online orders

Then that should be enough to keep barclays happy.

Will let you know the outcome from their reply.

Am beginning to feel that SM are very mis-leading as to what tests you actually do need EVEN if you do use a PSP.

Jees, Gavin. People have been telling you that for MONTHS!!!!
How much convincing do you need??

OK Have just been speaking to a guy who deals with PCI Compliance at Barclaycard, and informed him that we use Secure Hosting as our Payment Service Provider who are PCI DSS Compliant and sent him the link the pdf file (link below).

Explained that because of this we don't to have the website scan run by SM because we do not store/process cardholder data ?

he said that was correct. I asked him to send me an email for confirmation of this, which I have posted below, so I rang up SM, explained I had been talking to someone at Barclaycard, soon as I said that SM were happy to cancel the scan - no quarms, no questions, nothing and got them to cancel our "website scan" and only have the on-going network scan (which is required) because we take mail order payments in-house and store/process card details here...

hopefully this will help some people out, you only need the network scan test if your website takes online orders, and/or you process orders in-house (mail order, etc). U do not need the website scan if you use a PSP, and this is a fact from Barclays PCI DSS Compliance Dept themselves today!

The issues with a website scan was that every quartely scan there was always vunerabilities arising that needed to be dealt with, but the fact is because we use a PSP we did not need to have this scan in the beginning.

Our Web hosting company also informed me for them to do updates to our VPS would be £50+Vat per Hour!

so my understanding is this:

1. If you have an online order website and using a PSP then your Compliant.
2. If you have process orders in-house (mail order, etc) then you need to
complete the PCI DSS Questionnaire and have the SM Network Scan and
Pass this test to be compliant.


Hopefully this will resolve some issues some people have regarding SM and Barclaycard.

I would assume the SM network scan is only be a requirement if the card data was help electronically. If kept on paper and then shredded there would be no need for the network scan either.

Mike

The only person having an issue with SM was YOU - several of us have been telling forum members the same as the letter you posted for the last TWO years. Its only you that elected to believe the SM SCAM and create a fiasco on the forum

A Frankie Howerd vehicle if ever there was one

So what's the score if I take CC details over the phone and process them through the Streamline machine, do they still scan the website?

If it's a VPS why not do it yourself, there's thousands of tutorials online. All it takes is a bit of reading and understanding, provided you know how to copy/paste.

See quote numero uno.

Yeah I would agree with you on that.

@Malcolm, whats with the attitude reply?

Minor amendment to point 1.
1. If you have an online order website and using a PCI DSS compliant PSP* and do not take CC details MOTO then you are operating within the compliancy standards.

The liability rests with the merchant and not the PSP to ensure the PSP they use is compiant, is my understanding!

* http://community.actinic.com/showthr...light=worldpay

I would follow that up with getting confirmation from your PSP
that they are PCI Compliant. I did this with our PSP Secure Hosting. They have their Certificate online in PDF Format.

You took their word for it?